Getting the Most From Your Threat Intelligence

Our Director of Security Strategy, Travis Farral, discusses with Dark Reading how security pros can better use the threat intel feeds and tools they already have.

Welcome back to the DarkReading News Desk at Black Hat USA.

I'm Lenny Leibmann.

So many security teams load up on threat intelligence, but never feel like they're any more intelligent.

So I'm going to ask our next guest why.

He is Director of Security Strategy at Anomali.

He's Travis Farral.

Travis, how are you doing?

I'm doing great.

So yes, I feel like there's this emphasis on threat intelligence, and that we're being encouraged to sort of gather massive amounts of highly comprehensive threat intelligence.

But my own sense is what we're doing in a way is we're sort of creating this sort of giant false positive, because my organization is not being attacked by all these threats.

And do you think it's bad for me to call this sort of a mass of false positive?

What's your take on this?

No, I actually agree with you in that context.

I think the problem is people hear the buzzword of threat intelligence, they want to do something about it.

And there's all these open source feeds that they can tap into.

So this is what they do.

It seems like the natural place to start is start trying to get some of these feeds and do something with them.

But the problem is, they lack the context of where these things come from.

What does this really mean?

What does this mean to my organization?

And so this is where the false positives sort of very valid problem with threat intelligence comes from.

Yeah, and it's not just sort of the general principle that false positives are bad.

I feel like it's affecting our security spending, it's making us feel like maybe we have to hire more bodies, we may spend some of our time skilling ourselves in ways that we don't have to skill ourselves.

So given the fact that there's this tremendous disparity between how much the threat matrix is increasing, the fact that I'm only going to get 4% more budget next year, I've really got to watch out and not be distracted by every threat that every threat intelligence database discovers.

Yeah, this is the trouble.

In the world of threat intelligence, you should really be focusing on trying to get more value out of what you already have.

And I think that's what threat intelligence can bring to the table.

But you have to have, obviously, the right mix of stuff that you're doing, adding context, understanding and getting there in the trenches every day and seeing this phishing email came in, what does this mean?

Instead of just dealing with it and moving on, can I learn something from this?

And then use what I learned to help me next week when I see more phishing emails come in from the same actor?

So tell me a little bit about Anomali specifically.

So how do you help me deal with the fact that threat intelligence, as a general discipline, may not be what I need as much as contextualized, personalized, individuated threat intelligence?

All of these problems, as they're perceived in threat intelligence, are exactly what created ThreatStream which is Anomali's flagship product.

It basically is able to pull in all of these disparate feed sources, wherever they come from, whether it's open source, whether it's from security tools that are outputting things, or even commercial threat intelligence providers, and it applies all of that context to it automatically and helps to bubble up just the most important things for people to be able to deal with.

And also gives analysts the ability to go in and gather lots of contextual information to help them be able to determine what actions they should take as a result.

Now, I assume that also the value of this is not only that I don't sort of waste a lot of tooling and spending and effort.

But one of the things we want to do is we don't want to just think about pre-threat activity and prevention.

But I think all of us are beginning to learn that what we need to do is we also need to sort of shift left as they call it in DevOps, at a response time to something that's already in my environment.

So does this help me do that?

It should, yeah.

If you're doing this right, certain things should start helping you be able to sort of figure out things that are bad before the attack gets used against you.

It could be an email address of a particular actor that they like to use to register that domain.

And now you can monitor for those bad domains and automatically pre-block those before they come in an email.

It's bulletproof hosting, for instance.

If you know that these IPs-- because your intel provider tells you that these are all related to this bulletproof hoster-- you can pre-block all of those.

And any attack that leverages those will automatically be blocked.

There's a lot of other things that can be lifted from the attacks that we see and the intelligence that we can apply to those that can lead to these types of things.

If you have Palo Alto Firewalls for instance, you can automatically push things out to it without having to spend extra cycles.

It's just integrations within the application.

So really tries to help make folks more efficient at what they are doing, and give the analysts everything they need to sort of make these decisions and help them along the way.

Yeah, not only to configure our stuff to stop threats, but also to recognize when there is some malicious activity taking place so that we can interdict it more quickly.

Yeah, to help basically, make better use of the tools that are already in the environment.

So there also seem to be a lot of people who are saying, look, you're not going to be able to develop the skills and knowledge in-house.

So more and more they're trying to tell me I should just get security as a service.

I should rely on the economies of scale and the talent pools that these providers can generate.

And I maybe need to stop thinking about even developing my internal capability altogether.

You and I discussed this a little bit before the interview.

I thought your take was pretty interesting on that.

Yeah, coming from a practitioner role, these are the types of things that you have to think about.

You only have so much budget, like you said.

Where do I start, when I know that my analysts need to understand threat intelligence better, what do I do?

Do I go just farm that out?

Or do I invest in these folks?

And I really think it's best for organizations to look at just trying to take their SOC folks, their incident response guys, whatever they have available, and try to help them start getting their toes wet in this world of threat intelligence.

They'll pick it up.

It's not rocket science.

And I think that's much better, because now these folks, they have the context of understanding the internal environment and how things work internally, and all these other things that an external organization just simply isn't going to have.

Yeah, I think there's a lot to be said for also the kind of incentives you can create for your internal people to focus on the kind of threats that you're specifically experiencing, as opposed to somebody who has sort of generic knowledge and generic incentives.

I think there's a lot to be said.

Yeah, definitely.

And without having the opportunity to go and individually interview all the folks that company X has hired to manage your stuff, how do you really know how good these guys are at threat intelligence?

Are they just analysts they picked up off the street?

And you fell for some marketing stuff?

How do you really know?

And you can measure how your own people are actually doing.

Yeah, I like that.

So we have less than a minute left.

I think it's probably worthwhile for you to say something about who it is you think probably wants to engage with you.

What's kind of the signals that they'll have that maybe they need Anomali.

And how they should go about engaging you specifically.

Yeah, absolutely.

So we have at just Anomali with an i dot com-- we have lots of resources there.

We have some free tools.

We have a free threat intelligence tool called STAXX that will allow them to start pulling in some feeds and getting some basic information about indicators in those feeds.

We have lots of white papers.

And we have the ability to get engaged with them through our forums that we have there as well.

So if they have questions about threat intelligence, any of our products, that's a great way to get in touch with us.

And happy to have them part of our ecosystem.

Yeah, I've noticed you guys have real strong community, strong content.

So I definitely think that's a good way to get started there on the site.

So that is Travis Farral from Anomali.

Don't go away, there's going to be more DarkReading News Desk live from Black Hat after this break.